Relevant to the recent thread


Alan Karp

Jun 12, 2025, 11:55:21 PMJun 12
to <friam@googlegroups.com>, cap-...@googlegroups.com
Seen at Identiverse

image.png

--------------
Alan Karp

John Kemp

Jun 13, 2025, 12:02:39 PMJun 13
to cap-...@googlegroups.com
A couple of related items:

1. The creator/wearer of that shirt told me he is planning to create a store and sell those shirts.
2. He works for AWS, where there is a very specific "confused deputy" problem - cross-account access in AWS, where their IAM system can be confused about which account is attempting to assume an IAM role. Their solution has been for the receiving account to create an "external ID" - a secret shared with the requesting account, and passed in the cross-account request. I don't recall whether that has been discussed here before.
3. I myself also presented at Identiverse 2025, about naming - with any lessons we might learn from human naming strategies as we go about naming machines. It was meant to just be a fun but hopefully thought-provoking talk. I actually briefly talked about object capabilities (just a picture of a Tahoe-LAFS file capability URL on slide 19 of https://identiverse.com/idv25/session/?idvid=2812727) and the idea of designating authority along with the "name" itself.

Cheers,

- johnk

--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z0qd_Avai4s_Us_WLHP8Mze8iA%3DxnDWd0RvGQx9OVwSAw%40mail.gmail.com.
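The cross-account confused deputy and the external ID mitigation described in item 2 above, as an added toy model that is not part of the thread and not AWS's real IAM evaluator: a third-party "deputy" service assumes roles in customer accounts on the customers' behalf, and an attacker registers a victim's role ARN as their own. The role ARNs, account numbers and the `DeputyService` class are constructed for the example.

```python
"""Toy model of the AWS cross-account confused deputy and sts:ExternalId.
Constructed example: the trust-policy check below is a simplification of IAM."""

VICTIM_ROLE = "arn:aws:iam::111111111111:role/DeputyAccess"   # constructed
DEPUTY_ACCOUNT = "arn:aws:iam::999999999999:root"             # constructed


def trust_policy(external_id=None):
    """Role trust policy letting DEPUTY_ACCOUNT assume the role, optionally
    only when the AssumeRole request carries the expected sts:ExternalId."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": DEPUTY_ACCOUNT},
            "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_allowed(policy, caller, external_id=None):
    """Simplified trust-policy evaluation for one sts:AssumeRole request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"]["AWS"] != caller:
            continue
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected is None or expected == external_id:
            return True
    return False


class DeputyService:
    """Third-party service that assumes a customer-supplied role on request."""
    def __init__(self):
        self.roles = {}       # role ARN -> trust policy; stands in for IAM
        self.customers = {}   # customer -> (role ARN, deputy-chosen external ID)

    def register(self, customer, role_arn):
        ext = f"ext-{customer}"   # unique per customer, never customer-chosen
        self.customers[customer] = (role_arn, ext)
        return ext                # customer is told to put this in their trust policy

    def act_for(self, customer, use_external_id):
        role_arn, ext = self.customers[customer]
        return assume_role_allowed(self.roles[role_arn], DEPUTY_ACCOUNT,
                                   ext if use_external_id else None)


def scenario(use_external_id):
    """Returns whether the deputy can act for the victim and for the attacker."""
    deputy = DeputyService()
    victim_ext = deputy.register("victim", VICTIM_ROLE)
    deputy.roles[VICTIM_ROLE] = trust_policy(victim_ext if use_external_id else None)
    deputy.register("attacker", VICTIM_ROLE)   # attacker names the victim's role
    return {"victim": deputy.act_for("victim", use_external_id),
            "attacker": deputy.act_for("attacker", use_external_id)}
```

Without the condition the deputy is confused into using the victim's role for the attacker; with it, the deputy's per-customer external ID fails the victim's `StringEquals` check. As the thread notes, this patches the symptom: the role ARN alone still designates no authority, so the check has to be bolted on beside it.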

Alan Karp

Jun 13, 2025, 4:08:28 PMJun 13
to cap-...@googlegroups.com
I read through your slides, and now I wish I could hear the talk.  Was it recorded?

How widely recognized is the confused deputy vulnerability at Identiverse?  I've been talking about it at IIW for over 15 years, and I'd say only about a quarter of the people I ask know anything about it.

Your AWS story is quite typical.  People start with an identity centric design.  They then find they need to add delegation, which they attempt to do with impersonation.  When that causes problems, they add another epicycle.  And on it goes.

--------------
Alan Karp


John Kemp

Jun 13, 2025, 5:20:07 PMJun 13
to cap-...@googlegroups.com, Alan Karp
On 06/13/25 at 16:08, Alan Karp wrote:
> I read through your slides, and now I wish I could hear the talk.  Was
> it recorded?

Thanks. I believe so, and that eventually there will be a video.

>
> How widely recognized is the confused deputy vulnerability at
> Identiverse?  I've been talking about it at IIW for over 15 years, and
> I'd say only about a quarter of the people I ask know anything about it.

I think most security (or identity) folk still know only of the issues
that are caused by "ambient authority".

For example, people talk of XSRF/CSRF in relation to browser requests,
and they say "oh that's solved by adding an XSRF token".

But very few people understand that this was caused at the very instant
Netscape decided to implement browser cookies in order to enable
shopping carts on the web, so we've been applying patches on patches
ever since. They understand the specific security issue, but not the
architectural one.

And for this Amazon case - it used to be true that an AWS "account" was
a real security boundary, so your IAM roles only worked within your own
account. And then they opened up cross-account access...

Amazon has their own quite-specific definition of confused deputy:
https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html

So I think again, we'll see a very specific issue be talked about, with
a very specific solution, only to ignore the architectural errors that
lead to the specific issue.

>
> Your AWS story is quite typical.  People start with an identity centric
> design.  They then find they need to add delegation, which they attempt
> to do with impersonation.  When that causes problems, they add another
> epicycle.  And on it goes.

Yes, I think that's a good summary. I don't think anything has changed :)

- johnk


--
Independent Security Architect
t: +1.413.645.4169
e: stable.p...@gmail.com

https://www.linkedin.com/in/johnk-am9obmsk/
https://github.com/frumioj
